Anubis Ransomware + CitrixBleed 2: NC SMB RMM & BYOVD Defense

Anubis RaaS chains CitrixBleed 2 with RMM abuse & BYOVD in July 2026. NC SMB RMM governance & signed-driver blocklist playbook. (336) 886-3282.


TL;DR: The Hacker News and Sophos Counter Threat Unit reported July 2, 2026 that ransomware groups are chaining three techniques to break into SMBs: CitrixBleed 2 (CVE-2025-5777) for initial access, legitimate Remote Management and Monitoring (RMM) tools for persistence, and BYOVD (Bring Your Own Vulnerable Driver) for EDR evasion. The Anubis RaaS group — a 2024 rebrand of Sphinx ransomware — is the most prolific operator of this playbook, using ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment for hands-on-keyboard lateral movement. For NC SMBs, this is the pattern that turns a NetScaler CVE from "we patched" to "we got encrypted three weeks later." The defense requires a documented RMM inventory, phishing-resistant MFA on every RMM, application allowlisting, and the Microsoft vulnerable-driver blocklist actively enforced.

Key takeaway: The 2026 ransomware playbook does not rely on custom malware. It relies on legitimate IT tools you already have running and vulnerable drivers you have not blocked. Your defense posture must assume the attacker uses the tools of an IT admin.

Do you have an inventory of every RMM tool on your network with MFA enforced on each? Contact Preferred Data Corporation for an RMM inventory and BYOVD posture review. BBB A+ rated. On-site within 200 miles of High Point. Call (336) 886-3282.

Who Is Anubis and Why Does This Group Matter for NC SMBs?

Anubis is a ransomware-as-a-service (RaaS) group that emerged in late 2024 as a rebrand of the earlier Sphinx ransomware operation. Sophos Counter Threat Unit's July 2, 2026 disclosure documents Anubis affiliates chaining CitrixBleed 2 (CVE-2025-5777, still exploited despite a July 2025 patch) with legitimate RMM abuse and BYOVD driver exploits to encrypt SMB targets across manufacturing, construction, healthcare, professional services, and financial services.

Three characteristics make Anubis particularly dangerous for NC SMBs:

  • Affiliate model with broad coverage. RaaS affiliates target opportunistically — any SMB with an unpatched edge device is fair game regardless of industry.
  • Living-off-the-land tradecraft. Anubis affiliates prefer legitimate IT tools (RMM, PSExec, remote scripting) over custom malware, which makes signature-based detection ineffective.
  • BYOVD for EDR evasion. Anubis affiliates carry signed but vulnerable drivers to disable endpoint detection from kernel space — a technique that defeats even well-tuned EDR without proper blocklist enforcement.

Anubis's typical attack chain observed in June-July 2026:

  1. Initial access: Exploit CVE-2025-5777 (CitrixBleed 2) or CVE-2026-8451 (CitrixBleed 2 pattern) against an internet-facing NetScaler.
  2. Session hijack: Use leaked session tokens to authenticate as a valid user.
  3. RMM deployment: Drop ScreenConnect, Zoho Assist, MeshAgent, or Remotely onto a compromised endpoint for persistence.
  4. Discovery: Enumerate domain controllers, file shares, backup infrastructure, cloud services.
  5. BYOVD evasion: Deploy a signed vulnerable driver (e.g., historical drivers from Micro-Star International, ASUS, Zemana) to disable EDR from kernel.
  6. Credential harvesting: Mimikatz, LSASS dump, DPAPI extraction.
  7. Backup destruction: Delete Veeam, Rubrik, or Azure Backup snapshots. Disable Volume Shadow Copy Service.
  8. Data exfiltration: Rclone or Mega.io for exfiltration.
  9. Encryption: Deploy Anubis payload across the fleet during off-hours (Friday afternoon, holiday weekend, or overnight).
  10. Extortion: Double-extortion demand (encryption + threatened data leak) via a Tor-hosted negotiation site.

Typical dwell time: 7-14 days from initial access to encryption. For an NC SMB, that means an attack that started on July 4 weekend could detonate the weekend of July 25 — long after the pre-holiday patching decision.

What Is BYOVD and Why Does It Defeat Standard EDR?

Bring Your Own Vulnerable Driver (BYOVD) is a technique where the attacker installs a legitimately signed Windows kernel driver that contains a known vulnerability, then exploits that vulnerability to disable security software or gain kernel-mode code execution.

How BYOVD works:

  1. Attacker has admin on a Windows endpoint.
  2. Attacker drops a signed but vulnerable driver — for example, a historical Micro-Star RTCore64.sys, ASUS AsIO.sys, or Zemana zam.sys. The driver is legitimately signed by Microsoft's Windows Hardware Quality Labs (WHQL) or a trusted vendor.
  3. Attacker registers the driver as a Windows service and starts it.
  4. Attacker exploits the driver's vulnerability (arbitrary memory read/write, kernel-mode code execution).
  5. Attacker uses kernel access to disable EDR, terminate protected processes, or install a rootkit.

The insidious detail is that the driver is signed and looks legitimate to any signature-based defense. Anti-virus and even most EDR products will not block the driver on load. The attacker gets kernel-mode code execution without needing a zero-day.

Why BYOVD defeats standard EDR:

  • EDR runs in user mode or has a kernel-mode agent that itself can be terminated from kernel. A BYOVD attacker with kernel code execution can terminate the EDR process directly.
  • Signed drivers are not blocked by default. Windows loads any properly signed driver unless a blocklist is enforced.
  • The vulnerable driver is not itself malware. It is a legitimate driver with a bug — deleting it would break other software.

The mitigation: Microsoft maintains a Vulnerable Driver Blocklist that identifies known BYOVD driver samples and blocks them from loading. It is enabled by default on Windows 11 22H2 and later. On earlier Windows versions and Windows Server, it must be explicitly enabled via Group Policy or Windows Defender Application Control (WDAC).

Every NC SMB endpoint should have the Microsoft Vulnerable Driver Blocklist enabled and enforced. Verification: HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1.

Which RMM Tools Are Anubis and Similar Groups Abusing?

The July 2, 2026 Sophos disclosure names six RMM and remote-access tools observed in Anubis affiliate tradecraft:

Tool                                | Legitimate Use                     | Abuse Pattern
ScreenConnect (ConnectWise Control) | MSP remote support, IT help desk   | Silent deploy as persistence, session takeover
Zoho Assist                         | On-demand remote support           | Dropped as second-stage RAT after initial access
MeshAgent (MeshCentral)             | Open-source remote management      | Free, cross-platform, hard to distinguish from legitimate IT
Remotely                            | Cross-platform remote support      | Similar to MeshAgent, low forensic footprint
UltraVNC                            | Cross-platform VNC                 | Legacy tool still deployed on many SMB endpoints
Total Software Deployment           | Endpoint management and deployment | Used for lateral movement package delivery

The problem for NC SMBs is that most of these are legitimate tools. Your IT team may already use ScreenConnect. Your MSP may use Zoho Assist. An open-source deployment of MeshAgent may exist as a legacy remote-access solution. Blocking all of them without understanding your inventory would break legitimate operations.

The correct posture is inventory + governance, not blanket ban.

  • Inventory every RMM tool installed on your network. Endpoint telemetry, network flow analysis, EDR queries.
  • Categorize by approval status. Approved (sanctioned, MFA-enforced, deployed by IT), Legacy (still deployed but planned for removal), Unapproved (shadow RMM installed by users or attackers).
  • Remove unapproved RMM tools. Alert on any new install.
  • Enforce phishing-resistant MFA on every approved RMM console.
  • Restrict RMM installation permissions. Only sanctioned IT accounts can install RMM.
  • Log every RMM session to a central SIEM with alerting on off-hours or unusual patterns.
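The inventory and categorization steps above, as an added PowerShell example that is not part of the original post: it enumerates services, running processes and installed programs on one host, matches them against name patterns for the six tools named in the post, and labels each hit Approved, Legacy or Unapproved. The name patterns and the approval map are my assumptions; replace them with your own sanctioned list.

```powershell
# Added example, not from the post. Run elevated on each endpoint, or wrap
# Get-RmmInventory in Invoke-Command to collect across the fleet.
# Assumed name patterns for the RMM tools the post lists; tune to your estate.
$RmmPatterns = @{
    'ScreenConnect'             = 'ScreenConnect'
    'Zoho Assist'               = 'Zoho ?Assist|ZohoMeeting'
    'MeshAgent'                 = 'Mesh ?Agent'
    'Remotely'                  = '^Remotely'
    'UltraVNC'                  = 'UltraVNC|winvnc'
    'Total Software Deployment' = 'Total Software Deployment'
}
# Assumed approval map: anything not listed here is treated as Unapproved.
$Approval = @{ 'ScreenConnect' = 'Approved'; 'UltraVNC' = 'Legacy' }
$UninstallHives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-RmmInventory {
    # Gather three evidence sources: service definitions, live processes, uninstall entries.
    $observed = @(
        foreach ($s in Get-CimInstance Win32_Service) {
            [pscustomobject]@{ Source = 'Service'; Name = $s.DisplayName; Path = $s.PathName } }
        foreach ($p in Get-CimInstance Win32_Process) {
            [pscustomobject]@{ Source = 'Process'; Name = $p.Name; Path = $p.ExecutablePath } }
        foreach ($hive in $UninstallHives) {
            foreach ($app in Get-ItemProperty "$hive\*" -ErrorAction SilentlyContinue | Where-Object DisplayName) {
                [pscustomobject]@{ Source = 'Installed'; Name = $app.DisplayName; Path = $app.InstallLocation } } }
    )
    foreach ($item in $observed) {
        $text = "$($item.Name) $($item.Path)"
        foreach ($tool in $RmmPatterns.Keys) {
            if ($text -match $RmmPatterns[$tool]) {
                $status = if ($Approval.ContainsKey($tool)) { $Approval[$tool] } else { 'Unapproved' }
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME; Tool = $tool; Status = $status
                    Source = $item.Source; Evidence = $item.Name; Path = $item.Path
                }
            }
        }
    }
}

$inventory = Get-RmmInventory | Sort-Object Tool, Source, Evidence -Unique
$inventory | Format-Table -AutoSize
# The Unapproved rows are the removal list; keep the CSV as the baseline for alerting on new installs.
$inventory | Where-Object Status -eq 'Unapproved' |
    Export-Csv "rmm-unapproved-$env:COMPUTERNAME.csv" -NoTypeInformation
```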

What Are the Documented Anubis Tradecraft Indicators of Compromise?

Sophos CTU's July 2 report documents the following Anubis affiliate IoCs. NC SMBs should hunt for these across their fleet before the July 4 weekend.

File-based IoCs:

  • New ScreenConnect Client (....).exe binaries in %LOCALAPPDATA% or %APPDATA% folders that were not deployed by the sanctioned MSP.
  • MeshAgent MeshAgent.exe or MeshAgent64.exe in unexpected locations.
  • Zoho Assist installer files (ZohoAssistUnAttended.exe, ZohoAssistTechnicianInstaller.msi) from unknown sources.
  • Signed but vulnerable driver files (RTCore64.sys, AsIO.sys, zam.sys, PROCEXP.sys) written to %WINDIR%\System32\drivers\ or %WINDIR%\System32\.

Process-based IoCs:

  • ScreenConnect service running with a customization URL that does not match your sanctioned MSP tenant.
  • Non-standard RMM tools running on file servers or domain controllers.
  • rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe spawned from RMM tools.
  • wmic.exe, psexec.exe, pwsh.exe execution outside of change-management windows.

Network-based IoCs:

  • Outbound HTTPS to ScreenConnect / ConnectWise Control tenant URLs that are not sanctioned.
  • Outbound to MeshAgent servers not on your inventory.
  • Outbound to pastebin.com, paste.ee, dpaste.com, or similar for staged payload delivery.
  • Rclone or Mega.io outbound activity, especially from file servers.

Identity-based IoCs:

  • Anomalous sign-ins from a Citrix session with impossible travel or unusual geolocation (after CitrixBleed 2 exploitation).
  • Service account interactive logons.
  • Domain admin account activity outside of change-management windows.
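A hunt for the file, process and network indicators above on a single host, as an added PowerShell example that is not from the Sophos report or the original post. It assumes Sysmon is installed logging to its default channel (Event ID 6 DriverLoad, Event ID 1 ProcessCreate), that the ScreenConnect client service carries its relay host in the h= parameter of its command line, and that the sanctioned relay hostname is a placeholder you replace.

```powershell
# Added example, not from the post. Run elevated; requires Sysmon.
$SuspectDrivers   = 'RTCore64.sys', 'AsIO.sys', 'zam.sys', 'PROCEXP.sys'   # driver names from the post
$Lolbins          = 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'certutil.exe'
$RmmParentPattern = 'ScreenConnect|MeshAgent|Zoho|Remotely|winvnc|UltraVNC' # assumed parent-image patterns
$SanctionedRelay  = 'relay.your-msp.invalid'   # placeholder: your MSP's ScreenConnect relay host
$Since            = (Get-Date).AddDays(-30)
$SysmonLog        = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonField {
    param($Event, [string]$Name)
    # Pull one named EventData field out of the event XML.
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}

function Find-DriverLoads {
    # Event ID 6: flag any load of a driver file name on the suspect list, with its signer.
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 6; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $img = Get-SysmonField $_ 'ImageLoaded'
        if ($SuspectDrivers -contains (Split-Path $img -Leaf)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Suspect driver load'; Detail = $img; Context = Get-SysmonField $_ 'Signature' } } }
}

function Find-RmmSpawnedLolbins {
    # Event ID 1: LOLBins whose parent process is an RMM agent.
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $image = Get-SysmonField $_ 'Image'; $parent = Get-SysmonField $_ 'ParentImage'
        if (($Lolbins -contains (Split-Path $image -Leaf)) -and ($parent -match $RmmParentPattern)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'LOLBin spawned by RMM'; Detail = "$parent -> $image"; Context = Get-SysmonField $_ 'CommandLine' } } }
}

function Find-UnsanctionedScreenConnect {
    # Service definitions: a ScreenConnect client pointing at a relay other than the sanctioned one.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'ScreenConnect' } | ForEach-Object {
        $m = [regex]::Match($_.PathName, '[?&]h=([^&]+)')
        if ($m.Success -and $m.Groups[1].Value -ne $SanctionedRelay) {
            [pscustomobject]@{ Time = Get-Date; Indicator = 'ScreenConnect relay mismatch'; Detail = $m.Groups[1].Value; Context = $_.Name } } }
}

$findings = @(Find-DriverLoads) + @(Find-RmmSpawnedLolbins) + @(Find-UnsanctionedScreenConnect)
$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Export-Csv "anubis-hunt-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Any row in the output is a lead to triage, not a verdict; driver loads in particular should be checked against the current Microsoft blocklist reference before acting.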

What Should NC SMBs Do This Week?

A Wednesday-through-Friday pre-holiday hardening cycle for Anubis-adjacent defense:

Wednesday priorities:

  • RMM inventory. Full endpoint scan for every RMM tool installed. Categorize (Approved / Legacy / Unapproved). Remove unapproved.
  • Phishing-resistant MFA enforced on every approved RMM console.
  • Sanctioned RMM allowlist in the CASB / EDR — only sanctioned RMM installers allowed to execute.

Thursday priorities:

  • Enable Microsoft Vulnerable Driver Blocklist on every Windows endpoint. Verify with the registry key check.
  • Enforce WDAC / AppLocker for a pilot fleet if not already deployed.
  • NetScaler / Citrix Gateway patching. Confirm CVE-2025-5777 (CitrixBleed 2, original) and CVE-2026-8451 (CitrixBleed 2 return) are patched. Terminate every existing session.

Friday priorities:

  • Hunt for IoCs using the file, process, network, and identity indicators above.
  • Confirm 24/7 monitored SOC coverage through the July 4 weekend.
  • Verify immutable backups with a live restore test.
  • Confirm on-call escalation for the long weekend.


How Does This Chain Into MSP Supply Chain Risk?

The Sophos CTU report also documents a partnership between VECT and TeamPCP announced in March 2026 to combine supply-chain credential theft with ransomware deployment. This is the same pattern as the July 2, 2026 SimpleHelp CVE-2026-48558 disclosure — attackers targeting the RMM tools that MSPs use to manage SMB clients.

For NC SMBs that outsource IT to an MSP, this is a distinct risk vector: the MSP's own RMM console is now a target. Every SMB should ask the MSP:

  • Is phishing-resistant MFA enforced on the MSP's RMM console?
  • Is the RMM console patched against the current KEV list (SimpleHelp, ConnectWise, ScreenConnect, Kaseya, N-able)?
  • Does the MSP have MDR coverage on their own environment?
  • What is the MSP's incident response commitment if their infrastructure is compromised?
  • What is the MSP's cyber insurance posture and how does it interact with the SMB's own policy?

If the MSP cannot answer these questions crisply, the SMB is inheriting the MSP's security posture as a supply-chain dependency. In an environment where SimpleHelp, ConnectWise, ScreenConnect, and Kaseya have all had critical KEV CVEs, MSP supply chain is a real risk to evaluate at renewal.

Key takeaway: Your SMB security posture is a function of your MSP's security posture. Ask your MSP the hard questions. If your MSP is Preferred Data, we will show you our answers on request.


How Does Preferred Data Deliver Anubis-Chain Defense for NC SMBs?

Preferred Data Corporation provides RMM inventory and governance, BYOVD posture assessment, edge-device management, 24/7 managed detection and response, and expedited incident response for NC manufacturers, construction firms, healthcare providers, professional-services offices, and financial institutions. With 37+ years of North Carolina IT expertise and an average client retention of 20+ years, we build layered defense against the specific tradecraft observed in Anubis, LockBit, Akira, and other 2026 ransomware operations.

Our Anubis-chain defense package includes RMM inventory across every endpoint, phishing-resistant MFA enforcement on all sanctioned RMM consoles, Microsoft Vulnerable Driver Blocklist enforcement, application allowlisting rollout, CitrixBleed 2 patch validation, session termination, IoC hunt, and 24/7 monitored SOC coverage through the July 4 weekend.

For businesses within 200 miles of High Point, we deliver on-site response for confirmed incidents.


Frequently Asked Questions

Is Anubis the same as Anubis Networks or Anubis Android malware?

No. Anubis ransomware is a distinct RaaS group that emerged in late 2024 as a rebrand of Sphinx ransomware. It is unrelated to the earlier Anubis Networks and to the Android banking trojan named Anubis.

What is CVE-2025-5777 (the original CitrixBleed 2)?

A critical Citrix NetScaler ADC and Gateway vulnerability disclosed in 2025 that allowed authentication bypass and session token theft when the appliance was configured as a Gateway or AAA virtual server. Patched by Citrix in July 2025, but still actively exploited against unpatched deployments in 2026. Distinct from the July 2026 CVE-2026-8451 (a new NetScaler memory overread in the SAML IdP path).

How do I check if Microsoft Vulnerable Driver Blocklist is enabled?

Windows 11 22H2+ has it enabled by default. Verify with Get-MpComputerStatus | Select-Object AMServiceEnabled, IsTamperProtected, and check the registry key HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable (value 1 = enabled). For Windows 10 and Windows Server, deploy via Group Policy or WDAC policy.
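The blocklist check described in the BYOVD section and in this answer, as an added PowerShell example that is not from the original post: it reads the registry value the post names, reports memory integrity (HVCI) and Defender state alongside it for context, and offers a registry-based enable step. The Win32_DeviceGuard query and the Enable-DriverBlocklist function are my additions; the enable step sets the same value the post says Group Policy or WDAC turns on, and is an assumption about that lever.

```powershell
# Added example, not from the post. Run in an elevated PowerShell prompt.
$CiConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-DriverBlocklistPosture {
    $value = (Get-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $regText = if ($null -eq $value) { 'not set' } else { $value }
    # Memory integrity (HVCI): Win32_DeviceGuard.SecurityServicesRunning contains 2 when running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard `
              -ErrorAction SilentlyContinue
    # Defender service and tamper-protection state, as the FAQ answer suggests checking.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OSBuild           = [System.Environment]::OSVersion.Version.ToString()
        BlocklistRegValue = $regText
        BlocklistEnforced = ($value -eq 1)
        HvciRunning       = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        DefenderAMService = $mp.AMServiceEnabled
        TamperProtection  = $mp.IsTamperProtected
    }
}

function Enable-DriverBlocklist {
    # Registry lever for Windows 10 / Server hosts (assumption: the same value the
    # post's Group Policy / WDAC guidance sets). A reboot is needed before it takes effect.
    if (-not (Test-Path $CiConfigKey)) { New-Item -Path $CiConfigKey -Force | Out-Null }
    New-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$posture = Get-DriverBlocklistPosture
$posture | Format-List
if (-not $posture.BlocklistEnforced) {
    Write-Warning 'Vulnerable Driver Blocklist is not enforced on this host; run Enable-DriverBlocklist and reboot.'
}
```

Collect Get-DriverBlocklistPosture output from every host via Invoke-Command and treat any BlocklistEnforced = False row as a Thursday remediation item.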

Should we remove all RMM tools from our environment?

No — you need at least one sanctioned RMM for legitimate remote support. The correct posture is inventory, categorize, remove unapproved, and enforce phishing-resistant MFA and logging on approved RMM.

How do I detect a legitimately signed but vulnerable driver load?

Sysmon Event ID 6 (Driver Loaded) captures driver load events. Compare against Microsoft's Vulnerable Driver Blocklist reference and vendor threat feeds. Modern EDR products include BYOVD detection modules.

What does Anubis charge for ransom?

Ransom demands vary by victim size. Public reporting suggests $500K-$5M for mid-market SMB victims, negotiable downward. NC SMBs should not pay — restore from immutable backup, engage IR provider, and report to FBI IC3 (ic3.gov).

Can Preferred Data audit our RMM posture this week?

Yes. Our RMM inventory and governance audit is a 5-7 day engagement — endpoint discovery, MFA validation, policy review, and remediation plan. Call (336) 886-3282.
